CAT’s Cradle – Ongoing Problems with the SEC’s Consolidated Audit Trail

In July 2012, the SEC adopted a new Rule 613 under Section 11A(a)(3)(B) of the Securities Exchange Act of 1934 (“Exchange Act”). It would require national securities exchanges and national Self-Regulatory Organizations (“SROs’) “to act jointly in developing a national market system (‘NMS’) plan to develop, implement, and maintain a consolidated order tracking system, or consolidated audit trail, with respect to the trading of NMS securities.” While the Financial Industry Regulatory Authority (“FINRA”) and the SROs did have their own audit trail systems, they were “limited in their scope in varying ways.” The answer was to create a new, truly comprehensive system:

A consolidated audit trail would significantly aid in SRO efforts to detect and deter fraudulent and manipulative acts and practices in the marketplace, and generally to regulate their markets and members. In addition, such an audit trail would benefit the Commission in its market analysis efforts, such as investigating and preparing market reconstructions and understanding causes of unusual market activity.

The many comment letters submitted in response to the proposed rule between 2010 and 2012 were favorable. Quite a few referenced the “Flash Crash” of May 6, 2010, which had spooked the markets. In fact, the initial proposed rule for a consolidated audit trail appeared only ten days later, on May 26. It was hoped that a consolidated audit trail could prevent similar future events. Some commenters wondered how investors’ privacy would be protected. The Commission addressed those concerns only once in the final rule:

Commenters have expressed concerns regarding the risk of failing to maintain appropriate controls over the privacy and security of consolidated audit trail data. Accordingly, the adopted Rule requires the NMS plan to include additional policies and procedures that are designed to ensure the rigorous protection of confidential information collected by the central repository.

Over the years, the voices of those concerned investors have become louder. While the data held by the SROs has been relatively safe, the hacking of cryptocurrency exchanges has become commonplace. Many more individuals have had their own accounts hacked, and incidents of ransomware attacks have increased exponentially. Fourteen years have passed since the new rule appeared, and work on CAT, as it’s called, has begun, but the system is not yet operational. In August 2020, the SEC proposed a data security rule that would enhance the safety features of CAT, but it hasn’t yet been adopted. Although the idea of an audit trail, as originally described in 2010, seems innocuous, it isn’t just a big database that presents what it collects as metadata. It contains a great deal of “PII,” or “personally identifiable information.” It’s included because the SEC and the SROs want to use that information to catch crooks: market manipulators, fraudsters, and more. But its mandate is to grab pretty much everything, so that means a great deal of information about everyone who trades securities will be known to CAT and to its users.

According to the amendments proposed in 2020, there’s nothing to worry about. The original plan to require CAT to collect SSNs and ITINs has been abandoned. Complete birthdates will not be required; only the year of birth. There’s more, all of it designed to reassure the wary, but most of the changes appear to be semantic rather than… real.

The Commission proposes the following additional amendments to reflect the revised reporting requirements for Industry Members: the defined term “Customer Attributes,” would replace the defined term “Customer Identifying Information” and “Account Attributes” would replace the defined term “Customer Account Information” to more accurately reflect the data elements being reported by Industry Members; and a newly defined term “Customer and Account Attributes” would be defined to include all the data elements, or attributes, in both “Customer Attributes” and “Account Attributes.” Finally, as a result of the changes to the Customer and Account Attributes that are reported to and collected by the CAT, which will no longer require the reporting of the most sensitive PII, the Commission proposes to delete the defined term “PII” from the CAT NMS Plan.

A summary of the 438-page proposal aids in its digestion. Then-Chair Jay Clayton said gamely that data security was an “essential pillar” of the CAT, but many of those for whom it was intended disagreed. 

The comment letters are almost uniformly negative. Even the SROs, except for FINRA, find the whole thing unworkable, dangerous, and too expensive. The NYSE objects that “Neither the Commission’s original Proposal nor FINRA CAT’s Alternative Proposal is legally permissible under the securities laws, and each would contravene the goals the Commission stated when it proposed and adopted Rule 613 and when it approved the CAT NMS Plan.” Nearly every commenter gives lip service to the hoped-for usefulness of CAT, but also expresses alarm at the dangers baked into the system. That, no doubt, explains why the 2020 amendments to the rule have not been adopted. 

But what does the Commission have in mind? As of this moment, CAT is scheduled to become fully operational on May 31, 2024, according to SIFMA. SIFMA, the leading trade association for broker-dealers, investment banks, and asset managers in the U.S., is one of the few affected organizations that would like to see the 2020 proposals made effective. But it isn’t enthusiastic, saying “[i]t is an appalling failure of investor protection for the SEC to not adopt that proposal to enhance the security of the CAT, especially since the SEC has had nearly four years to do so.” As things stand, investors’ PII will be available to anyone who has access to CAT. SIFMA wants the system changed so that regulators would have to ask broker-dealers for “the identity of investors engaged in potentially problematic trading activity on an as-needed request-only basis, rather than maintaining such data in the CAT.” But isn’t that how it works now, and how it’s always worked?

Somewhat surprisingly, Republican Commissioner Hester Peirce supported the proposals, but reluctantly, saying she’d have preferred that stronger measures be taken. With her characteristic bluntness, she continued:

As I have said elsewhere, the CAT treats every American as a presumptive wrongdoer.  The CAT will watch everything you do in the securities marketplace, record it for employees of the SEC and self-regulators to monitor, and store it in databases that hackers undoubtedly will attack.  The discomfort we feel about similar monitoring in other marketplaces is something we should also feel when the government watches our every move in the financial markets.

In July 2022, Peirce voted in favor of granting temporary exemptive relief to give CAT time to fix some implementation issues, but reiterated her worries about the database:

With respect to security, I plead with my fellow regulators to rethink the wisdom of creating a massive database of information that hackers may try to exploit for their nefarious ends. Given these concerns, my preference would be to see the project placed in the SEC’s catacombs—dead and buried forever.

CAT, which is being developed by FINRA, now has its own website where it offers users the latest updates, and displays a list of participants in the program. The site exists chiefly for those participants and is highly technical.

The Lawsuit

On April 16, 2024, the New Civil Liberties Alliance (NCLA), which describes itself as an enemy of the “Administrative State”—known to many as the “Deep State”—and champion of freedom-loving Americans, “unleashed” a lawsuit to, as it said, “take down SEC’s mass data collection machine.” The purpose of the suit is to stop the development of CAT, which it says “runs roughshod” over the constitutional rights of investors. It’s bringing the suit in the name of its clients Erik Davidson, John Restivo, and the National Center for Public Policy Research. The defendants are Gary Gensler, in his official capacity as Chairman of the SEC, the SEC itself, and Consolidated Audit Trail, LLC. 

NCLA was founded in 2017, and, according to Bloomberg Law, is backed by conservative activist Leonard Leo and billionaire Charles Koch. The National Center for Public Policy Research has been around for much longer; it was founded in 1982. It calls itself a “non-partisan, free-market, independent conservative think tank.” Scott Shepard, director of the National Center’s Free Enterprise Project, noted hotly, “The idea that this SEC can be relied on not to abuse this vast cache of financial information for which it has no legitimate use is laughable. We’re delighted that in joining this case we can rely on NCLA’s brilliant minds and impressive record of success to fight against these unjustifiable invasions of privacy and decency.” 

Erik Davidson is an assistant professor of Finance at Baylor University. He’s also an adviser to Inspire Investing, an instructor and curriculum consultant for the American Bankers Association, and provides consulting services on wealth and investment management. John Restivo, the last plaintiff, is a real estate developer who lives near Waco. The suit was filed in the U.S. District Court for the Western District of Texas, Waco Division. The suit is described in the caption as a Class-Action Complaint for Declaratory, Injunctive, and Mandamus Relief.

The complaint is long and comprehensive. It immediately gets to what may turn out to be one of NCLA’s most persuasive arguments: that the SEC’s Rule 613, proposed in 2010 and adopted in 2012, was created without any statutory authority. It points out that if completed as planned, CAT would be the largest database in the United States except for the NSA’s, and adds: “Unlike NSA, however, SEC entirely lacks the authority, history, or special oversight structure that permits it to engage in the seizure and surveillance of private information.”

The complaint goes on to enumerate the ways in which CAT violates the constitution. First, the Fourth Amendment is cited:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The “papers” of the late 18th century are equivalent to today’s “data.” NCLA is no doubt right in saying the founding fathers would not have been happy about CAT. Are we so accustomed to the many intrusions our use of the internet has brought into our lives that we barely notice one more, and don’t really care? Even 50 years ago, it’s likely most of us would have been alarmed if told that in the not-too-distant future, we could view bank accounts and brokerage accounts and make transactions in them. We all know people who, only 20 years ago, resisted paying bills online, preferring to send a check. But all that has changed. There are even banks and brokerages that have no physical location that can be visited, not to mention countless entirely virtual businesses. Most of us no longer even think about it, except to occasionally mourn the loss of another brick-and-mortar store we once enjoyed visiting.

The History

The SEC was created in 1934 to regulate our capital markets. Confidence in those markets had been badly shaken by the crash of 1929, and the new Roosevelt Administration believed something had to be done. First, the Securities Act of 1933 (“Securities Act”) required companies to engage in public offerings to furnish prospectuses to prospective investors. Second, the Securities Exchange Act of 1934 (“Exchange Act”) put Joseph Kennedy in charge of a new regulatory agency called the Securities and Exchange Commission. Registration statements and many other kinds of filings—their number grew over the decades—had to be filed with them. The object was to ensure transparency on the part of issuers. It was hoped that companies required to provide audited financial statements wouldn’t try to cook their books. Obviously, both the ‘33 and ‘34 Acts were laws passed by Congress, not rules cooked up by a government agency. 

NCLA points out that the SEC has always had enforcement powers and is lawfully permitted to conduct investigations. The regulator can obtain information about private individuals’ trading by making “blue sheet” requests. To do so, it must have “an articulable basis to investigate possible violations of the securities laws.” The scope of the underlying investigation limits the number of requests it may make. The SEC can also obtain information by issuing administration subpoenas. In order to do that, it needs to show some facts indicating a violation of the law. Only then can it issue a “formal notice of investigation” and begin to issue subpoenas. The process is explained in its Enforcement Manual

The complaint notes that the flash crash of 2010 was clearly what prompted the SEC to propose Rule 613, and that its proposal was unlike anything considered by the agency in the past. What NCLA considers to be a fundamental break with past practices is that Rule 613 would allow the SEC real time access to whatever data it wanted “without any need to obtain a warrant, issue a subpoena, or even have cause to suspect an investor of wrongdoing.” They add to their list of possible unintended consequences the chance that a bent SEC employee might use his access to figure out proprietary trading strategies, or to undermine a successful trader he disliked, or who someone had paid him to sabotage. 

Very few people are unaware of the dangers presented by insecure databases. While they’re periodically tested for potential vulnerabilities, some will be caught, while others may lurk out of sight. On September 20, 2017, Chair Jay Clayton issued a “Statement on Cybersecurity” and two related press releases. One of them was about the continuing investigation of a 2016 hack of the SEC’s EDGAR reporting system. A Ukrainian hacker and six traders in California, Ukraine, and Russia had broken into the system and helped themselves to information that was not yet in the public domain. As a result, they cleaned up on the trades they immediately placed. The intrusion was not announced by the SEC until 2017. The culprits were charged in 2019. At the same time, the Department of Justice brought parallel criminal charges.

Only a few months ago, on January 9, the SEC’s X social media account was hacked, and the hackers used a technique called “SIM swapping” to announce, in the name of the agency, that Bitcoin ETFs had been approved. Bitcoin soared, and then crashed when, a short time later, the agency announced the “news” wasn’t true.

It isn’t just conservative think tanks and the conservatives who staff them who are worried about data security. Liberals and liberal organizations are as well. The American Civil Liberties Organization (ACLU) wrote to the SEC in late 2019 to express its own concerns about the CAT project. It explained what it saw as problems in detail. 

First, to avoid making investors’ personal information available to all users of the site, it suggested that every individual involved be assigned a unique identifier, called the CAT Customer ID. Second, it felt far too many people at each of the 25 SROs would have access to the database without having to show a specific reason that access was needed. Third, anyone with access could also download information in bulk without limitation. The ACLU believes “The SEC should limit SRO and exchange access to the CAT to only trading activity for their respective exchange(s), and only the SEC and FINRA should access the customer database. The SEC should also ensure that CAT data can only be accessed within the CAT’s secure environment that is managed by FINRA CAT and should provide that the data can never be extracted from that environment.” Finally, each SRO should be required to limit access to CAT to users who are given special training. 

All that is bad enough. But what about the problem of cost? Enormous databases aren’t free. Back when CAT was dreamt up in 2010, it was projected that its implementation would cost $4 billion, and its annual ongoing cost would be about $2.1 billion. These are just estimates; actual costs have risen, as they tend to do, over the years. 

How to Solve the Problem

NCLA has carefully and convincingly laid out the purpose and design of the CAT program and has also gone into detail about its dangers. Surely, nearly everyone can understand that those dangers are very real and could wreak havoc on our financial sector and our personal finances as well. We all know people who’ve had their email accounts hacked, or their credit card numbers recalled because of a leak in their bank or card company’s database. Worst of all, some have had their identities stolen. And that happens to ordinary people just living their lives. CAT, unlike real felines, will be prey for every apex predator out there, because it will hold the keys to our capital markets. 

We have no solution to offer, but we do understand the risk of implementing a system that cannot be assured of being safe. NCLA, the ACLU, and every other institution or individual who’s sounded a warning has our appreciation. As Hester Peirce said in another of her statements on CAT: 

The dollars, distraction, dissension, and drain of endless meetings over the past several years of CAT implementation are reasons enough to reconsider the entire project; the risks to liberty and security posed by the project should compel us to do so.

We urge the SEC and the SROs to get it right before rushing to implementation, which is, as noted above, scheduled for the end of May 2024.

Category: Blog Posts

Subscribe to our Newsletter

As Featured By: Quicken Small Business





Hamilton & Associates Law Group
101 Plaza Real South
Suite 202 North
Boca Raton, Florida 33432
Phone: 561-416-8956
Fax: 561-416-2855
https://www.securitieslawyer101.com
[email protected]
Categories
A+ Offerings and SEC Compliance
A+ SEC Reporting Requirements
A+ Reporting and Disclosure
A+ Secondary Sales
Accredited Crowdfunding
Accredited Investor Defined
Accredited Investor Verification
CF Crowdfunding SEC Reporting Requirements
Confidential Registration Statements
Control Person and Control Securities
Coronavirus - COVID-19
Coronavirus, SEC Extensions and Disclosures
Crowdfunding During Coronavirus - COVID-19
Corporate Hijackings
Crowdfunding
Crowdfunding Portals and Platforms
Direct Public Offering
Direct Public Offering Attorneys
Direct Public Offering SEC Reporting
Dormant Issuers
Draft Registration Statements
DTC Chills and Global Locks
DTC Eligibility
Dual Listing OTC Markets OTCQX
Due Diligence
Equity Crowdfunding
Exempt Direct Public Offerings
FINRA Rule 6490
Form 1-A of Regulation A
Form 3 Insider Report
Form 5 Insider Report
Form 10 Registration Statement
Form 10 Shell Companies
Form 10 Shell Risks
Form 10 SEC Reporting Requirements
Form 10-K
Form 10-Q
Form 211, FINRA Rule 15c-211
Form 8-A
Form 8-K
Form 12b-25
Form D
Form D Amendments
Foreign Private Issuers and Form F-1
Form F-1 Registration Statement
Form F-1 Registration Statement and Going Public
Form S-1 Registration Statement - SEC Review
Form S-1 Comments
Form S-1 Disclosures
Form S-1 SEC Filing
Form S-1 in Going Public Transactions
Form S-1 Quiet Period
Form S-1 Risk Factor Disclosures
Form S-1 SEC Review Process
Form S-1 Registration Statement
Form S-3 Registration Statement
Funding Portals
Going Public Attorney
Going Public Requirements
Going Public and raising Capital
Going Public for Foreign Issuers
Friends and Family Round
Going Public Law
Going Public Lawyer
Going Public Transactions
Initial Public Offerings
Intrastate Crowdfunding
Investor Relations 101
IPO Alternatives
Linkedin
Manipulative Trading
OTC Link
OTC Markets
OTC Markets Attorney
OTC Markets Dual Listings
OTC Pink Sheets
OTCQB Listing, Eligibility, Quotation
OTCQX Listing, Eligibility, Quotation
Penny Stocks
Periodic Reporting
Private Placements
Public Company SEC Reporting Requirements
Regulation A
Registered Direct Public Offerings
Regulation A
Regulation A State Blue Sky Requirements
Regulation A Offering Caps
Regulation A Form 1-A Disclosures
Regulation A SEC Reporting Requirements
Regulation A Secondary Sales
Regulation A State Blue Sky Requirements
Regulation A Tier 2 Direct Listing
Regulation A Testing the Waters
Regulation A Q&A
Regulation A Form 1-A Disclosures
Regulation CF
Regulation CF Reporting Requirements
Regulation D
Regulation D Bad Actor Ban
Restricted Legend Removal
Restricted Stock
Reverse Mergers
Reverse Merger Game Changers
Reverse Stock Splits
Rule 10b-5 and Securities Fraud
Rule 15c-211
Rule 504 Offerings
Rule 506(b) Offerings
Rule 506(c)
Rule 506(c) Covered Persons and Bad Actors
Rule 506(c) State Blue Sky Requirements
Rule 506(c) Offerings
SEC Actions & Administrative Proceedings
SEC Comments
SEC Draft Registration Statements
SEC Form S-1 Filing Requirements
SEC Investigations
SEC Registration Statements
SEC Reporting Requirements
SEC Trading Suspensions
Secondary Registration Statements
Secondary Trading
Penny Stocks
Section 4(a)(2) Exemption - Private Offerings
Section 4(a)(7) FAST Act
Seed Stockholders
Social Media
Schedule 14A
Seed Stockholders and Going Public
Schedule 14C
SEC Reporting Requirements
Selling Stockholder Disclosures
Short Sales and Regulation SHO
What Are Short Sales?
Spam, CAN-SPAM and Investor Relations
Sponsoring Market Maker, Form 211 and Rule 15c-211
Stock Scalping 101
Stock Promotion
Stock Spin-Offs
The Role of a Going Public Attorney
Twitter & Regulation A+
Wells Notices
What is Going Public?
What Is Accredited Crowdfunding?
What Are Short Swing Profits?
What Are Short Sales?
What is a Registration Statement?
What is Rule 144?
What are Restricted Securities?
What is Rule 506?
What is Form D?
What is a Private Placement Memorandum?
What is a Finder?
What is a Form 10 Registration Statement?
What is DTC Eligibility?
What is a Form S-8 Registration Statement?
What is Form 12b-25?
What are the OTC Markets OTC Pinks?
What Is the Regulation SHO Short Seller Rule?
What Is A Confidential Registration Statement?
What Are The OTC Markets?

About Us

Services
Practice Areas
Notable Representation
Going Public eBook by Securities Lawyer 101

Resources

Securities Lawyer 101 Dictionary
Securities Lawyer 101 Blog
Securities Lawyer 101 Forms
SEC Requests for Comments

The JOBS Act

Exempt Direct Public Offerings
Funding Portals
Crowdfunding
Accredited Crowdfunding
Crowdfunding Portals and Platforms
Going Public Attorney's Guide to Rule 506
Regulation D Bad Actor Ban

SEC Enforcement

SEC Actions & Administrative Proceedings
SEC Investigations
SEC Inquiries
SEC Wells Notices
Rule 10b-5
Manipulative Trading

Please Visit Our Affiliate Sites

www.jobsact101.com
www.gopublic101.com
www.gopublicdirect.com
www.reversemergers101.com

Hamilton & Associates Law Group P.A.

Going Public Lawyers
101 Plaza Real South, Suite 202 North
Boca Raton, Florida 33432
Telephone: (561) 416-8956
Facsimile: (561) 416-2855
www.SecuritiesLawyer101.com

Sitemap
RSS Feed
LinkedIn

SEC Law

SEC Comments
Spam
Restrictive Legends
Restricted Stock
Schedule 14A
Schedule 14C
Reverse Mergers
Corporate Hijackings
Dormant Issuers
Reverse Stock Splits
Reverse Merger Game Changers
Stock Spin-Offs
DTC Global Locks
Private Placements
Social Media
FINRA Rule 6490
Rule 506-c
Short Sales & Trading

Ask Securities Lawyer 101 Series

What is Going Public?
What Is Accredited Crowdfunding?
What Are Short Swing Profits?
What Are Short Sales?
What is a Registration Statement?
What is Rule 144?
What are Restricted Securities?
What is Rule 506?
What is Form D?
What is a Private Placement Memorandum?
What is a Finder?
What is a Form 10 Registration Statement?
What is DTC Eligibility?
What is a Form S-8 Registration Statement?
What is Form 12b-25?
What are the OTC Markets Pink Sheets?
What Is Regulation SHO?
What Is A Confidential Registration Statement?
What Are The OTC Markets?
What Are Short Sales?
What Is A Sponsoring Market Maker?

Subscribe to our Newsletter

OTC Markets

The Role of the Going Public Attorney
OTC Link
OTCQX Listing, Eligibility & Quotation
OTCQB Listing, Eligibility & Quotation
OTC Pink Sheets
OTC Markets

SEC Registration Statements

Direct Public Offerings
Initial Public Offerings
Due Diligence & the Going Public Attorney
Form S-1 Registration Statement
Form S-8 Registration Statement
Form S-3 Registration Statement
Draft Registration Statements
Confidential Registration Statements

Securities Exchange Act Registration

Form 10 Registration Statement
Form 8-A Registration Statement

Going Public Transactions

Going Public Law
Why Companies Need a Going Public Attorney
 Secondary Registration Statement
SEC Registration Statements
Form 211 & Rule 15c2-11
Sponsoring Market Makers
Depository Trust & Clearing (DTC)
Direct Public Offering Attorneys

Going Public For Foreign Issuers

OTC Markets Dual Listings
EB-5 Program & Going Public
Form F-1 Registration Statement
OTCQX Listing, Eligibility & Quotation

Public Company SEC Reporting

Form 10-K
Form 10-Q
Form 8-K

Copyright © 2024 · All Rights Reserved · Hamilton & Associates Law Group, P.A.